Providing SDA to IoT devices that you own
If the device manufacturer has added SDA to their IoT device and supporting applications, you can authorize groups of users or single users to have access to IoT devices, and you can define the level of access they have to the device.
These user groups and policies are stored in Device Management rather than on the device, giving you the ability to change these settings whenever you need.
Creating user groups
In Device Management Portal, you can define groups that contain different types of user, such as OEM technicians, service technicians, or device users. This enables you to give different groups of users different levels of access to the IoT device. For example, a junior technician may only be able to carry out basic maintenance tasks, whereas a senior technician can perform a broader range of tasks, including firmware upgrades.
To create a new group, in Device Management Portal, select Access management > Groups from the side menu, and click the New group button. You can then add users and define policies to set the permissions for this group.
Defining SDA policies
You use policies to define the operations that a user or group of users can perform on the IoT device. An SDA policy defines:
- How long an access token is valid for (from one hour to two weeks).
- The scope of the policy and whether the user has:
  - Full access to the settings and maintenance tasks on the IoT device.
  - Partial access to the IoT device, which restricts the user to a limited set of operations.
  Note: The device manufacturer must provide you with a list of all the operations that can be performed from the mobile application. The list of operations that a technician can request must be the same in the code of your IoT device and SDA technician applications, and in your Device Management account.
- Which devices are covered by the policy. You can reference devices in a policy using their device IDs, endpoint names, or the values of custom attributes.
  Note: Custom attributes are key-value pairs that you can define in the Device Directory on the Device Management Portal. The device must have bootstrapped and registered to be visible in the portal so these attributes can be set, but the device does not have to be online at the time you set the attributes. Similarly, the device must have bootstrapped and registered if you want to use the Device ID in the access policy. The only reference you can use in an SDA access policy if the device has not bootstrapped and registered is the endpoint name.
- Which users or user groups are included in this policy.
To create a new SDA policy:
- In Device Management Portal, from the Access management tab, select Access policies.
- Click the New access policy button.
The Portal guides you through a set of steps to define a policy.
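Before entering a policy in the Portal, it can help to check a draft against the constraints listed under "Defining SDA policies". The following is an added example, not code from Device Management or its API: the policy dictionary layout, the operation names and the endpoint names are all hypothetical and constructed for illustration.

```python
from datetime import timedelta

MIN_TTL, MAX_TTL = timedelta(hours=1), timedelta(weeks=2)  # validity range stated on this page

def operation_mismatches(device_ops, app_ops, account_ops):
    """Operations missing from at least one of the three places that must agree."""
    all_ops = set(device_ops) | set(app_ops) | set(account_ops)
    common = set(device_ops) & set(app_ops) & set(account_ops)
    return sorted(all_ops - common)

def validate_policy(policy, known_ops, registered_endpoints):
    """Return a list of problems found in a draft policy (hypothetical dict layout)."""
    problems = []
    if not MIN_TTL <= policy["token_ttl"] <= MAX_TTL:
        problems.append("token_ttl outside one hour to two weeks")
    if policy["scope"] == "partial":
        ops = policy.get("operations", [])
        if not ops:
            problems.append("partial scope lists no operations")
        unknown = sorted(set(ops) - set(known_ops))
        if unknown:
            problems.append(f"operations not in manufacturer list: {unknown}")
    elif policy["scope"] != "full":
        problems.append(f"unknown scope: {policy['scope']}")
    for ref in policy["devices"]:
        # Device IDs and custom attributes exist only after bootstrap and registration.
        if ref["by"] in ("device_id", "custom_attribute") and ref["endpoint"] not in registered_endpoints:
            problems.append(f"{ref['endpoint']}: not registered, reference it by endpoint name")
    if not policy.get("users") and not policy.get("groups"):
        problems.append("no users or groups assigned")
    return problems

# Constructed sample data (not real operation or endpoint names)
KNOWN_OPS = ["read-logs", "restart", "update-firmware"]
REGISTERED = {"pump-001"}
JUNIOR_POLICY = {
    "token_ttl": timedelta(days=30),
    "scope": "partial",
    "operations": ["read-logs", "factory-reset"],
    "devices": [{"by": "endpoint_name", "endpoint": "pump-002"},
                {"by": "device_id", "endpoint": "pump-002"}],
    "groups": ["junior-technicians"],
}

if __name__ == "__main__":
    for p in validate_policy(JUNIOR_POLICY, KNOWN_OPS, REGISTERED):
        print("policy problem:", p)
    print("mismatched operations:", operation_mismatches(KNOWN_OPS, KNOWN_OPS, KNOWN_OPS[:2]))
```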